--- |Goofile v1.5 | |Coded by Thomas (G13) Richards | |www.g13net.com | |code.google.com/p/goofile | ---
Goofile 1.5
usage: goofile options
-d: domain to search
-f: filetype (ex. pdf)
example: ./goofile.py -d test.com -f txt
GOOFILE USAGE EXAMPLE
Search for files from a domain (-d kali.org) of the PDF filetype (-f pdf):
root@kali:~# goofile -d kali.org -f pdf
--- |Goofile v1.5 | |Coded by Thomas (G13) Richards | |www.g13net.com | |code.google.com/p/goofile | ---
Searching in kali.org for pdf
========================================
Files found:
====================
docs.kali.org/pdf/kali-book-fr.pdf
docs.kali.org/pdf/kali-book-es.pdf
docs.kali.org/pdf/kali-book-id.pdf
docs.kali.org/pdf/kali-book-de.pdf
docs.kali.org/pdf/kali-book-it.pdf
docs.kali.org/pdf/kali-book-ar.pdf
docs.kali.org/pdf/kali-book-ja.pdf
docs.kali.org/pdf/kali-book-nl.pdf
docs.kali.org/pdf/kali-book-ru.pdf
docs.kali.org/pdf/kali-book-en.pdf
docs.kali.org/pdf/kali-book-pt-br.pdf
docs.kali.org/pdf/kali-book-zh-hans.pdf
docs.kali.org/pdf/kali-book-sw.pdf
docs.kali.org/pdf/articles/kali-linux-live-usb-install-en.pdf
====================
CATEGORIES: INFORMATION GATHERING
TAGS: INFO GATHERING, RECON
hping3
HPING3 PACKAGE DESCRIPTION
hping is a command-line oriented TCP/IP packet assembler/analyzer. The interface is inspired by the ping(8) Unix command, but hping isn't only able to send ICMP echo requests. It supports TCP, UDP, ICMP and RAW-IP protocols, has a traceroute mode, the ability to send files over a covert channel, and many other features.
While hping was mainly used as a security tool in the past, it can be used in many ways by people who don't care about security to test networks and hosts. A subset of what you can do using hping:
Firewall testing
Advanced port scanning
Network testing, using different protocols, TOS, fragmentation
Manual path MTU discovery
Advanced traceroute, under all the supported protocols
Remote OS fingerprinting
TCP/IP stacks auditing
hping can also be useful to students that are learning TCP/IP.
Source: http://www.hping.org/
hping3 Homepage | Kali hping3 Repo
Author: Salvatore Sanfilippo
License: GPLv2
TOOLS INCLUDED IN THE HPING3 PACKAGE
hping3 – Active Network Smashing Tool
root@kali:~# hping3 -h
usage: hping3 host [options]
  -h  --help      show this help
  -v  --version   show version
  -c  --count     packet count
  -i  --interval  wait (uX for X microseconds, for example -i u1000)
      --fast      alias for -i u10000 (10 packets for second)
      --faster    alias for -i u1000 (100 packets for second)
      --flood     sent packets as fast as possible. Don't show replies.
  -n  --numeric   numeric output
  -q  --quiet     quiet
  -I  --interface interface name (otherwise default routing interface)
  -V  --verbose   verbose mode
  -D  --debug     debugging info
  -z  --bind      bind ctrl+z to ttl (default to dst port)
  -Z  --unbind    unbind ctrl+z
      --beep      beep for every matching packet received
Mode
  default mode     TCP
  -0  --rawip      RAW IP mode
  -1  --icmp       ICMP mode
  -2  --udp        UDP mode
  -8  --scan       SCAN mode.
                   Example: hping --scan 1-30,70-90 -S www.target.host
  -9  --listen     listen mode
IP
  -a  --spoof      spoof source address
      --rand-dest  random destionation address mode. see the man.
      --rand-source random source address mode. see the man.
  -t  --ttl        ttl (default 64)
  -N  --id         id (default random)
  -W  --winid      use win* id byte ordering
  -r  --rel        relativize id field          (to estimate host traffic)
  -f  --frag       split packets in more frag.  (may pass weak acl)
  -x  --morefrag   set more fragments flag
  -y  --dontfrag   set don't fragment flag
  -g  --fragoff    set the fragment offset
  -m  --mtu        set virtual mtu, implies --frag if packet size > mtu
  -o  --tos        type of service (default 0x00), try --tos help
  -G  --rroute     includes RECORD_ROUTE option and display the route buffer
      --lsrr       loose source routing and record route
      --ssrr       strict source routing and record route
  -H  --ipproto    set the IP protocol field, only in RAW IP mode
ICMP
  -C  --icmptype   icmp type (default echo request)
  -K  --icmpcode   icmp code (default 0)
      --force-icmp send all icmp types (default send only supported types)
      --icmp-gw    set gateway address for ICMP redirect (default 0.0.0.0)
      --icmp-ts    Alias for --icmp --icmptype 13 (ICMP timestamp)
      --icmp-addr  Alias for --icmp --icmptype 17 (ICMP address subnet mask)
      --icmp-help  display help for others icmp options
UDP/TCP
  -s  --baseport   base source port             (default random)
  -p  --destport   [+][+]<port> destination port(default 0) ctrl+z inc/dec
  -k  --keep       keep still source port
  -w  --win        winsize (default 64)
  -O  --tcpoff     set fake tcp data offset     (instead of tcphdrlen / 4)
  -Q  --seqnum     shows only tcp sequence number
  -b  --badcksum   (try to) send packets with a bad IP checksum
                   many systems will fix the IP checksum sending the packet
                   so you'll get bad UDP/TCP checksum instead.
  -M  --setseq     set TCP sequence number
  -L  --setack     set TCP ack
  -F  --fin        set FIN flag
  -S  --syn        set SYN flag
  -R  --rst        set RST flag
  -P  --push       set PUSH flag
  -A  --ack        set ACK flag
  -U  --urg        set URG flag
  -X  --xmas       set X unused flag (0x40)
  -Y  --ymas       set Y unused flag (0x80)
      --tcpexitcode use last tcp->th_flags as exit code
      --tcp-mss    enable the TCP MSS option with the given value
Common
  -d  --data       data size                    (default is 0)
  -E  --file       data from file
  -e  --sign       add 'signature'
  -j  --dump       dump packets in hex
  -J  --print      dump printable characters
  -B  --safe       enable 'safe' protocol
  -u  --end        tell you when --file reached EOF and prevent rewind
  -T  --traceroute traceroute mode              (implies --bind and --ttl 1)
      --tr-stop    Exit when receive the first not ICMP in traceroute mode
      --tr-keep-ttl Keep the source TTL fixed, useful to monitor just one hop
      --tr-no-rtt  Don't calculate/show RTT information in traceroute mode
ARS packet description (new, unstable)
      --apd-send   Send the packet described with APD (see docs/APD.txt)
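Most of the options above map directly onto IPv4 and TCP header fields (-t is the TTL byte, -S/-F/-R/-P/-A/-U/-X/-Y are bits of the TCP flags byte, -b corrupts the IP checksum, --scan takes a port list). The Python below is an added illustration, not hping3's own code: it assembles the same IPv4+TCP packet that a `hping3 -S -p 80` probe carries, recomputes both checksums the way a receiving stack would, and expands a --scan port specification. The addresses are the ones from the usage example that follows; the source port 40000 is arbitrary; nothing is put on the wire, since sending raw packets needs root and a raw socket.

```python
import socket
import struct
from typing import List, Sequence

# TCP flag bits in the order hping3 exposes them: -F -S -R -P -A -U -X -Y
TCP_FLAGS = {
    "fin": 0x01, "syn": 0x02, "rst": 0x04, "push": 0x08,
    "ack": 0x10, "urg": 0x20, "xmas": 0x40, "ymas": 0x80,
}

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words; over a header that already
    carries its checksum the result is 0, which is how a receiver verifies it."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4_header(src: str, dst: str, payload_len: int, ttl: int = 64,
                      ident: int = 0, proto: int = 6, tos: int = 0,
                      dont_frag: bool = False, bad_cksum: bool = False) -> bytes:
    """20-byte IPv4 header: ttl is -t, ident is -N, tos is -o, dont_frag is -y, bad_cksum is -b."""
    flags_frag = 0x4000 if dont_frag else 0          # DF is bit 14 of the flags/fragment word
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | 5, tos, 20 + payload_len, ident,
                      flags_frag, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    cksum = inet_checksum(hdr)
    if bad_cksum:
        cksum ^= 0xFFFF   # -b: deliberately wrong; the help text warns the kernel may repair it
    return hdr[:10] + struct.pack("!H", cksum) + hdr[12:]

def build_tcp_header(src: str, dst: str, sport: int, dport: int, flags: Sequence[str],
                     seq: int = 0, ack: int = 0, win: int = 64) -> bytes:
    """20-byte TCP header; the checksum covers a pseudo-header, so src/dst are needed here too."""
    flag_bits = 0
    for name in flags:
        flag_bits |= TCP_FLAGS[name]
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flag_bits, win, 0, 0)
    pseudo = socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, 6, len(hdr))
    cksum = inet_checksum(pseudo + hdr)
    return hdr[:16] + struct.pack("!H", cksum) + hdr[18:]

def build_probe(src: str, dst: str, sport: int, dport: int, flags: Sequence[str] = ("syn",),
                ttl: int = 64, **ip_opts) -> bytes:
    """Whole packet as hping3 would emit it for the given flags/TTL (default: a SYN probe)."""
    tcp = build_tcp_header(src, dst, sport, dport, flags)
    return build_ipv4_header(src, dst, len(tcp), ttl=ttl, **ip_opts) + tcp

def verify_packet(pkt: bytes) -> dict:
    """Receiver-side view: both checksums, the TTL, and the decoded TCP flag names."""
    ihl = (pkt[0] & 0x0F) * 4
    ip, tcp = pkt[:ihl], pkt[ihl:]
    pseudo = ip[12:16] + ip[16:20] + struct.pack("!BBH", 0, ip[9], len(tcp))
    flags = [name for name, bit in TCP_FLAGS.items() if tcp[13] & bit]
    return {"ip_ok": inet_checksum(ip) == 0, "tcp_ok": inet_checksum(pseudo + tcp) == 0,
            "ttl": ip[8], "flags": flags}

def parse_port_spec(spec: str) -> List[int]:
    """Expand the --scan syntax '1-30,70-90' into the list of destination ports probed."""
    ports: List[int] = []
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ports.extend(range(int(lo), int(hi or lo) + 1))
    return ports

if __name__ == "__main__":
    # Addresses from the usage example; source port 40000 is an arbitrary choice.
    pkt = build_probe("192.168.1.15", "93.184.216.119", 40000, 80, flags=("syn",), ttl=1)
    print(pkt.hex())
    print(verify_packet(pkt))
```

The TCP checksum is the part people get wrong when hand-crafting packets: it is computed over a pseudo-header (source, destination, protocol, TCP length) that is not transmitted, which is why the builder needs the IP addresses. Flipping only the IP checksum (-b) leaves the TCP checksum valid, matching the help text's remark that a kernel which rewrites the IP checksum turns a bad-IP-checksum test into something else entirely.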
HPING3 USAGE EXAMPLE
Use traceroute mode (--traceroute), be verbose (-V) in ICMP mode (-1) against the target (www.example.com):
root@kali:~# hping3 --traceroute -V -1 www.example.com
using eth0, addr: 192.168.1.15, MTU: 1500
HPING www.example.com (eth0 93.184.216.119): icmp mode set, 28 headers + 0 data bytes
hop=1 TTL 0 during transit from ip=192.168.1.1 name=UNKNOWN
hop=1 hoprtt=0.3 ms
hop=2 TTL 0 during transit from ip=192.168.0.1 name=UNKNOWN
hop=2 hoprtt=3.3 ms
CATEGORIES: INFORMATION GATHERING
TAGS: INFO GATHERING, PORT SCANNING, RECON, SPOOFING
InTrace
INTRACE PACKAGE DESCRIPTION
InTrace is a traceroute-like application that enumerates IP hops by exploiting existing TCP connections, whether initiated from the local system or from remote hosts. It can be useful for network reconnaissance and firewall bypassing, since its probes ride an already established connection rather than opening a new one.
Source: https://code.google.com/p/intrace/wiki/intrace
InTrace Homepage | Kali InTrace Repo
Author: Robert Swiecki
License: GPLv3
TOOLS INCLUDED IN THE INTRACE PACKAGE
root@kali:~# intrace
InTrace, version 1.5 (C)2007-2011 Robert Swiecki <[email protected]>
2014/05/20 09:59:29.627368 <INFO> Usage: intrace <-h hostname> [-p <port>] [-d <debuglevel>] [-s <payloadsize>] [-6]
INTRACE USAGE EXAMPLE
Run a trace to the target host (-h www.example.com) using port 80 (-p 80) with a payload size of 4 bytes (-s 4):
root@kali:~# intrace -h www.example.com -p 80 -s 4
InTrace 1.5 -- R: 93.184.216.119/80 (80) L: 192.168.1.130/51654
Payload Size: 4 bytes, Seq: 0x0d6dbb02, Ack: 0x8605bff0
Status: Packets sent #8
 #  [src addr]        [icmp src addr]   [pkt type]
 1. [192.168.1.1    ] [93.184.216.119 ] [ICMP_TIMXCEED]
 2. [192.168.0.1    ] [93.184.216.119 ] [ICMP_TIMXCEED]
 3. [ ---           ] [ ---           ] [NO REPLY]
 4. [64.59.184.185  ] [93.184.216.119 ] [ICMP_TIMXCEED]
 5. [66.163.70.25   ] [93.184.216.119 ] [ICMP_TIMXCEED]
 6. [66.163.64.150  ] [93.184.216.119 ] [ICMP_TIMXCEED]
 7. [66.163.75.117  ] [93.184.216.119 ] [ICMP_TIMXCEED]
 8. [206.223.119.59 ] [93.184.216.119 ] [ICMP_TIMXCEED]
CATEGORIES: INFORMATION GATHERING
TAGS: EVASION, INFO GATHERING, RECON
iSMTP
ISMTP PACKAGE DESCRIPTION
Test for SMTP user enumeration (RCPT TO and VRFY), internal spoofing, and relay.
iSMTP Homepage | Kali iSMTP Repo
Author: Alton Johnson
License: GPLv2
TOOLS INCLUDED IN THE ISMTP PACKAGE
ismtp – SMTP user enumeration and testing tool
root@kali:~# ismtp
--- iSMTP v1.6 - SMTP Server Tester, Alton Johnson ([email protected]) ---
Usage: ./iSMTP.py <OPTIONS>
Required:
-f <import file> Imports a list of SMTP servers for testing. (Cannot use with '-h'.)
-h <host> The target IP and port (IP:port). (Cannot use with '-f'.)
Spoofing:
-i <isa email> The ISA's email address.
-s <sndr email> The sender's email address.
-r <rcpt email> The recipient's email address.
--sr <email> Specifies both the sender's and recipient's email address.
-S <sndr name> The sender's first and last name.
-R <rcpt name> The recipient's first and last name.
--SR <name> Specifies both the sender's and recipient's first and last name.
-m Enables SMTP spoof testing.
-a Includes .txt attachment with spoofed email.
SMTP enumeration:
-e <file> Enable SMTP user enumeration testing and imports email list.
-l <1|2|3> Specifies enumeration type (1 = VRFY, 2 = RCPT TO, 3 = all). (Default is 3.)
SMTP relay:
-i <isa email> The ISA's email address.
-x Enables SMTP external relay testing.
Misc:
-t <secs> The timeout value. (Default is 10.)
-o Creates "ismtp-results" directory and writes output to ismtp-results/smtp_<service>_<ip>(port).txt
Note: Any combination of options is supported (e.g., enumeration, relay, both, all, etc.).
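The enumeration modes selected with -l are two short SMTP exchanges: VRFY <user>, and RCPT TO:<user@domain> after a MAIL FROM, with 250/251 meaning the mailbox exists and 550 meaning it does not. The Python below is an added example, not iSMTP's code: it runs both probes against a simulated SMTP server started in the same process (constructed data, listening on a random localhost port, knowing only the accounts in SIMULATED_USERS) so the whole exchange can be seen offline. Two caveats a real run must handle are built in: a 252 reply to VRFY is a refusal to answer rather than a hit, and a server that accepts RCPT TO for a random local part is a catch-all, so its RCPT answers prove nothing. The hostnames probe.example.test and mail.example.test are assumptions.

```python
import secrets
import socket
import threading
from typing import Dict, Iterable, List

# Constructed sample data for the simulated server below; not a real target.
SIMULATED_USERS = {"root", "adm", "postmaster"}
SIMULATED_HOST = "mail.example.test"

def _serve_one(conn: socket.socket) -> None:
    """Simulated SMTP server: just enough of RFC 5321 to answer VRFY and RCPT TO probes."""
    rd = conn.makefile("rb")
    conn.sendall(f"220 {SIMULATED_HOST} ESMTP\r\n".encode())
    with conn:
        for raw in rd:
            verb, _, arg = raw.decode("ascii", "replace").strip().partition(" ")
            verb = verb.upper()
            if verb in ("HELO", "EHLO"):
                reply = f"250 {SIMULATED_HOST}\r\n"
            elif verb in ("MAIL", "RSET", "NOOP"):
                reply = "250 OK\r\n"
            elif verb in ("VRFY", "RCPT"):
                # "VRFY root" or "RCPT TO:<root@domain>": accept only known local parts (case-insensitive)
                local = arg.split(":")[-1].strip("<> ").split("@")[0].lower()
                reply = "250 OK\r\n" if local in SIMULATED_USERS else "550 5.1.1 User unknown\r\n"
            elif verb == "QUIT":
                conn.sendall(b"221 Bye\r\n")
                break
            else:
                reply = "502 Command not implemented\r\n"
            conn.sendall(reply.encode())

def start_simulated_server() -> int:
    """Accept connections on an ephemeral localhost port from a daemon thread; returns the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    def accept_loop() -> None:
        while True:
            c, _ = srv.accept()
            threading.Thread(target=_serve_one, args=(c,), daemon=True).start()
    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()[1]

class SmtpEnumerator:
    """Client side of the VRFY / RCPT TO checks that iSMTP runs with -l 1, 2 or 3."""
    def __init__(self, host: str, port: int, timeout: float = 10.0) -> None:
        self.sock = socket.create_connection((host, port), timeout=timeout)
        self.rd = self.sock.makefile("rb")
        self._reply()                            # 220 banner
        self._cmd("EHLO probe.example.test")
    def _reply(self) -> int:
        """Consume one reply, including '250-' continuation lines, and return its numeric code."""
        while True:
            line = self.rd.readline().decode("ascii", "replace")
            if not line:
                raise ConnectionError("server closed the connection")
            if len(line) < 4 or line[3] != "-":
                return int(line[:3])
    def _cmd(self, text: str) -> int:
        self.sock.sendall(text.encode("ascii") + b"\r\n")
        return self._reply()
    def vrfy(self, user: str) -> bool:
        # 252 ("cannot VRFY user, will attempt delivery") is a refusal to answer, not a hit
        return self._cmd(f"VRFY {user}") in (250, 251)
    def rcpt(self, user: str, domain: str) -> bool:
        self._cmd("RSET")
        self._cmd("MAIL FROM:<probe@probe.example.test>")
        return self._cmd(f"RCPT TO:<{user}@{domain}>") in (250, 251)
    def is_catch_all(self, domain: str) -> bool:
        """If a random local part is accepted, RCPT TO answers carry no information."""
        return self.rcpt("nx-" + secrets.token_hex(6), domain)
    def enumerate(self, users: Iterable[str], domain: str, mode: int = 3) -> Dict[str, List[str]]:
        """mode 1 = VRFY, 2 = RCPT TO, 3 = both; maps each user to the methods that confirmed it."""
        found: Dict[str, List[str]] = {}
        for user in users:
            hits = []
            if mode in (1, 3) and self.vrfy(user):
                hits.append("VRFY")
            if mode in (2, 3) and self.rcpt(user, domain):
                hits.append("RCPT")
            found[user] = hits
        return found
    def close(self) -> None:
        self._cmd("QUIT")
        self.sock.close()

def run_demo(users=("4Dgifts", "EZsetup", "ROOT", "adm")) -> Dict[str, List[str]]:
    """Start the simulated server and probe the same names the usage example shows."""
    enum = SmtpEnumerator("127.0.0.1", start_simulated_server())
    try:
        mode = 1 if enum.is_catch_all(SIMULATED_HOST) else 3   # catch-all: fall back to VRFY only
        return enum.enumerate(users, SIMULATED_HOST, mode)
    finally:
        enum.close()
```

To use the client against a real host, construct SmtpEnumerator with the target's address and port 25 instead of the simulated server. The catch-all probe runs once before the wordlist so that a server answering 250 to everything does not produce a list of "found" users; on such a server only VRFY (if it is not disabled with 252) still says anything.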
ISMTP USAGE EXAMPLE
Test a list of IPs from a file (-f smtp-ips.txt) enumerating usernames from a dictionary file (-e /usr/share/wordlists/metasploit/unix_users.txt):
root@kali:~# ismtp -f smtp-ips.txt -e /usr/share/wordlists/metasploit/unix_users.txt
--- iSMTP v1.6 - SMTP Server Tester, Alton Johnson ([email protected]) ---
Testing SMTP server [user enumeration]: 192.168.1.25:25
Emails provided for testing: 109
Performing SMTP VRFY test...
[-] 4Dgifts --- [ invalid ]
[-] EZsetup --- [ invalid ]
[+] ROOT --- [ success ]
[+] adm --- [ success ]
CATEGORIES: INFORMATION GATHERING, SNIFFING/SPOOFING
TAGS: INFO GATHERING, RECON, SMTP, SNIFFING, SPOOFING
lbd
LBD PACKAGE DESCRIPTION
lbd (load balancing detector) detects if a given domain uses DNS and/or HTTP Load-Balancing (via Server: and Date: header and diffs between server answers).
Source: http://ge.mine.nu/code/lbd
lbd Homepage | Kali lbd Repo
Author: Stefan Behte
License: GPLv2
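The heuristics in the description are simple to state: several answers from the same name carrying different Server: headers, or Date: headers that disagree with each other by more than the time between the requests, point to more than one back-end; for DNS, repeated lookups returning more than one address point to DNS round-robin. The Python below is an added example, not lbd's code, that applies those checks to constructed response records (not captured traffic): each record holds the Server and Date headers plus the local time the answer was received, and the "received_at" field and the 2-second skew threshold are assumptions of this example.

```python
import email.utils
from datetime import datetime, timedelta, timezone
from typing import Any, Dict, List

T0 = datetime(2014, 5, 20, 9, 59, 29, tzinfo=timezone.utc)

def _response(server: str, date_offset_s: int, received_offset_s: float) -> Dict[str, Any]:
    """One constructed response: its Server and Date headers plus the local time we received it."""
    return {"Server": server,
            "Date": email.utils.format_datetime(T0 + timedelta(seconds=date_offset_s), usegmt=True),
            "received_at": T0 + timedelta(seconds=received_offset_s)}

# Constructed samples: BALANCED mixes two back-ends whose clocks disagree by about 15 s;
# SINGLE is one server whose Date header just ticks forward with real time.
BALANCED = [_response("nginx/1.18.0", 0, 0.1), _response("nginx/1.18.0", 0, 0.3),
            _response("Apache/2.4.41", 15, 0.5), _response("nginx/1.18.0", 1, 0.7)]
SINGLE = [_response("nginx/1.18.0", 0, 0.1), _response("nginx/1.18.0", 0, 0.4),
          _response("nginx/1.18.0", 1, 0.9), _response("nginx/1.18.0", 1, 1.3)]

def detect_http_lb(responses: List[Dict[str, Any]], max_skew_s: float = 2.0) -> Dict[str, bool]:
    """HTTP checks: differing Server: headers, and Date: values whose offset from our own
    clock varies by more than max_skew_s across answers (i.e. more than one server clock)."""
    servers = {r["Server"] for r in responses}
    offsets = [email.utils.parsedate_to_datetime(r["Date"]).timestamp() - r["received_at"].timestamp()
               for r in responses]
    return {"server_header": len(servers) > 1,
            "date_skew": (max(offsets) - min(offsets)) > max_skew_s}

def detect_dns_lb(answers: List[List[str]]) -> bool:
    """DNS check: repeated lookups of the name yield more than one distinct address."""
    return len({ip for answer in answers for ip in answer}) > 1

if __name__ == "__main__":
    print("balanced:", detect_http_lb(BALANCED))
    print("single:  ", detect_http_lb(SINGLE))
    print("dns rr:  ", detect_dns_lb([["203.0.113.10"], ["203.0.113.11"]]))
```

Date: has one-second resolution, so the skew threshold has to exceed one second plus the spread of request latencies; the offset is measured against the local clock so that a server whose clock is simply wrong, but consistent, is not mistaken for two servers. Back-ends kept in sync with NTP and running identical software pass both HTTP checks, which is why lbd also compares whole answers for differences.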
TOOLS INCLUDED IN THE LBD PACKAGE